People are predictable targets for phishing attacks: potential victims are most likely to click on messages concerning money.
A recent KnowBe4 study sent phishing test emails to roughly six million people and found that users were most likely to click on the mock phishing emails when they promised money or threatened the loss of money. People were also likely to fall for phishing attacks that appealed to their appetite by offering free food or drinks, emails that evoked the fear of missing out on non-monetary opportunities, and attacks that appealed to basic curiosity, such as new contact requests or photo tags.
Researchers also saw higher click rates with certain email subjects, with missed deliveries and false security notifications gaining the most clicks. The top subject lines included “A Delivery Attempt Was Made” with an 18 percent click rate, “UPS Label Delivery 1ZBE312TNY00015011” with a 16 percent click rate, “Change of Password Required Immediately” with a 15 percent click rate, “Unusual sign-in activity” with a 9 percent click rate, and “Happy Holidays! Have a drink on us.” with an 8 percent click rate.
“Email is an effective way to phish users when disguised as legitimate email,” the report said. “These methods allow attackers to craft and distribute enticing material for both random (general phish) and targeted (spear-phish) means, leveraging multiple psychological triggers and engaging in what amounts to a continuous maturity cycle.”
Researchers were even more convincing when targeting users with social-media-themed phishing emails. LinkedIn notifications were by far the most convincing: requests to add people, join networks, reset passwords, and read new messages convinced 53 percent of test subjects to click.
The study also found that login alerts drew clicks from 19 percent of test subjects, tagged photos from 12 percent, and free pizza and new voice message notifications from 18 percent each.
“The most effective templates or phishes are those that cause a knee-jerk reaction in the user,” Stu Sjouwerman, CEO of KnowBe4, said. “They make him/her react without thinking due to the alarming or urgent nature of the subject.”
Sjouwerman added that cyber-criminals already know this, and that these kinds of subject lines will consistently work against the softest targets and serve as an effective vector into a company. Some of the attacks may have benefited from the season: package delivery phishing attacks saw an uptick in Q4, near the holidays, when people are more likely to be expecting things in the mail.
“Seasonal differences really show up as Q4 was very concentrated on package delivery, no surprises there,” Sjouwerman said. “Q3 saw a larger amount of data breach or password related clicks, most likely due to the Equifax breach.”
He went on to say that users were initially easy to trick; however, the researchers quickly found that they could not reuse the same email template on the same people, because subjects would wise up to the trick, so they had to keep rotating templates. Even so, the researchers found that the same tactics can be used against an organisation's employees and still succeed until they wear out.